Systems and methods for indicating deployment of application features

ABSTRACT

Provided are systems and methods for indicating deployment of application features. In one embodiment, a method is provided that includes determining available features of a current deployment of an application for receiving machine-generated data from one or more data sources of a data system, determining un-deployed features of the current deployment of the application, wherein the un-deployed features comprise one or more of the available features that is configured to use input data from a data source and wherein the input data is not available to the feature in the current deployment of the application, and causing display of a deployment graphical user interface (GUI) that comprises an indication of the un-deployed features.

TECHNICAL FIELD

The present disclosure is generally directed to deploying applications,and more particularly, to systems and methods for indicating deploymentof application features.

BACKGROUND

Modern data centers often comprise thousands of hosts that operatecollectively to service requests from even larger numbers of remoteclients. During operation, components of these data centers can producesignificant volumes of machine-generated data. The machine-generateddata is often stored in searchable indexes. Users typically employ asearch application to search the indexed data, access reports on theindexed data, and the like. In some instances, a search applicationincludes one or more features (also referred to as “content objects” or“knowledge objects”) that can use data (e.g., received from one or moredata sources) to generate visualizations of the data, such as such as adisplayed metrics, tables, charts, graphs and the like. In the contextof an enterprise security (ES) application that consolidates data acrossan organizations network, for example, one feature may indicate a numberof unsuccessful user attempts to log-on to the organizations network.Such a reporting feature may rely on receiving data regarding userlog-on attempts from one or more of the organizations authenticationservers that process log-on attempts. In some instances, some of thefeatures available with an application may not be deployed. For example,if a system executing the application is not configured to receive datafrom an authentication server such that the log-on data relied on by thefeature is not being provided, then the feature may not be deployedbecause it does not have access to the data it needs. In certainsituations, it can be helpful for a user to know the deployment statusof features. In the context of ES, for example, a system administratormay want to know that he/she is utilizing as many available applicationfeatures as possible to monitor potential breaches of security.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates an example data processing environment in accordancewith the disclosed embodiments.

FIG. 2A is a flowchart that illustrates an example method for indicatingdeployment of application features in accordance with the disclosedembodiments.

FIG. 2B is a flowchart that illustrates an example method for providingan interactive deployment completeness graphical user interface (GUI) inaccordance with the disclosed embodiments.

FIGS. 3A-3E are illustrations of example GUIs in accordance with thedisclosed embodiments.

FIG. 4 is a diagram that illustrates an example computer system inaccordance with the disclosed embodiments.

FIG. 5 presents a block diagram of an example event-processing system inaccordance with the disclosed embodiments.

FIG. 6 presents a flowchart illustrating an example of how indexersprocess, index, and store data received from forwarders in accordancewith the disclosed embodiments.

FIG. 7 presents a flowchart illustrating an example of how a search headand indexers perform a search query in accordance with the disclosedembodiments.

FIG. 8 presents a block diagram of an example system for processingsearch requests that uses extraction rules for field values inaccordance with the disclosed embodiments.

FIG. 9 illustrates an example search query received from a client andexecuted by search peers in accordance with the disclosed embodiments.

FIG. 10A illustrates an example search screen in accordance with thedisclosed embodiments.

FIG. 10B illustrates an example data summary dialog that enables a userto select various data sources in accordance with the disclosedembodiments.

FIG. 11A illustrates an example key indicators view in accordance withthe disclosed embodiments.

FIG. 11B illustrates an example incident review dashboard in accordancewith the disclosed embodiments.

FIG. 11C illustrates an example proactive monitoring tree in accordancewith the disclosed embodiments.

FIG. 11D illustrates an example screen displaying both log data andperformance data in accordance with the disclosed embodiments.

DETAILED DESCRIPTION

The present disclosure is directed to indicating deployment ofapplication features. As described herein, in some embodiments, anapplication may include one or more available features that can bedeployed, a determination can be made as to which of the availablefeatures are deployed and/or un-deployed in a current deployment of theapplication, and an indication of the un-deployed and/or un-deployedfeatures can be provided, for example, via an interactive deploymentcompleteness GUI. Such an indication may enable a user to easilydetermine, for example, what features are and are not properly setup foruse in a current configuration of the application (also referred to as a“current deployment of the application”). For example, in the context ofan enterprise security (ES) application that provides for thecollection, searching, and reporting of machine-generated data, such asdata received from an organizations servers and the like, determinationscan be made as to what features are available (e.g., an “unsuccessfullog-on” key indicator feature that can indicate a number of unsuccessfulattempts to log-on to one of the organization's applications in the last24 hours, a “current user sessions” key indicator feature that canindicate a number of current user sessions on the organization'snetwork, a “malware dashboard” feature that can indicate a trend ofmalicious activity, such as a rolling plot of a rate of infections ofthe company's system in the last week, and/or the like), what featuresare deployed (e.g., properly setup for use in a current deployment ofthe application), and what features are un-deployed (e.g., not properlysetup for use in a current deployment of the application). A deploymentcompleteness GUI can be displayed to a user, such as a systemadministrator, to indicate the features that are deployed and/or thefeatures that are un-deployed in the current deployment of the ESapplication. In some embodiments, for some or all of the un-deployedfeatures, information regarding deploying the un-deployed feature (e.g.,one or more conditions or suggestions for deploying the un-deployedfeature) can be determined, and the deployment completeness GUI cancommunicate the information the information. Thus, a user can easilydetermine what features are un-deployed and/or how to configure thesystem to deploy the features. For example, if it is determined that theunsuccessful log-on key indicator is not deployed because theapplication is currently not receiving log-on data for the indicator,such log-on data generated by an authentication, the deployment profiledashboard may include suggestions for configuring the application toingest log-on data and/or may provide an interactive link to a page forconfiguring the application to ingest log-on data from an authenticationserver.

In some embodiments, a feature (also referred to as “content objects” or“knowledge objects”) can include content for communicating informationabout data received from one or more data sources. For example, aunsuccessful log-on key indicator feature may display a value indicatorthat is a count of unsuccessful attempts to log-on to one of theorganization's applications in the last 24 hours, a trend amount thatdisplays a change in the count over a period of time, a trend indicatorthat indicates an increasing or decreasing trend in the count, and/orthe like. In some embodiments, a feature can rely on input data (e.g.,machine-generated data) provided by one or more data sources for use inpopulating the content of the object. For example, an unsuccessfullog-on key indicator feature may rely on log-on data provided by one ormore authentication servers. In some embodiments, a feature may executeone or more predefined routines to processes the input data and generatecontent based on the input data. For example, the machine-generated datamay be parsed, indexed and stored to generate an index of time-stampedevents, the feature may be associated with a predefined search that isexecuted to locate a relevant subset of the events, and the subset ofevents can be processed to generate metrics that are used to populatethe content displayed for the feature. Examples of searches ofmachine-generated data that can be employed to identify data used topopulate features, including searches employ late binding schema, aredescribed in more detail below with regard to at least FIGS. 5-11D. Inthe context of the unsuccessful log-on key indicator feature, forexample, the feature may include a predefined search to locate eventsindicating unsuccessful user log-on attempts, and can use the identifiedevents to determine the values needed to populate the content displayedby the feature, such as the number of unsuccessful log-on attempts inthe last 24 hours. Although certain features are described herein forthe purpose of illustration, embodiments can include any variety offeatures. Some example of features are described in more detail belowwith regard to at least FIGS. 10A-11D, including a detailed descriptionof key indicators with regard to at least FIG. 11A.

In the context of machine-generated data, data sources can include, forexample, applications, application servers, web servers, databases,networks, virtual machines, telecom equipment, operating systems,sensors, and/or the like. Although certain data sources are describedherein for the purpose of illustration, embodiments can include anyvariety of data sources. Some example of data sources are described inmore detail below with regard to at least FIGS. 5-11D.

A current deployment of an application may refer to a currentconfiguration of the application, including, for example, currentsoftware and hardware configurations of the system on which theapplication is being executed. For example, a current deployment of anapplication may refer to settings for the application, add-on software(e.g., applications) installed to work with the application, the typeand configuration of hardware that is being employed by the application(e.g., including data sources that are configured to provide input datato for the application and its features), and/or the like. Continuingwith the above example, a first deployment of an ES application mayrefer to a configuration in which the ES application is installed on anapplication server and is receiving log-on data generated by a firstauthentication server, but the application server does not have an“add-on” mal-ware application installed that can be used to ingestinfection data (e.g., from third party virus software installed on usercomputers throughout the organization) that can be used to populate amalware dashboard feature. In such an application deployment, theunsuccessful log-on key indicator may be determined to be deployed basedon the application at least being configured to ingest log-on data thatcan be used to populate the feature, but the malware dashboard featuremay not be determined to be deployed because the infection data for thefeature is not being ingested and thus the feature cannot be populated.A second deployment of the ES application may refer to a configurationin which the add-on mal-ware application is installed such that the ESapplication can receive the infection data. In such an applicationdeployment, both of the unsuccessful log-on key indicator and themalware dashboard feature may be determined to be deployed based on theapplication at least being configured to ingest the log-on and infectiondata that can be used to populate the respective features.

As further described herein, in some embodiments, determining whether afeature is deployed or un-deployed in a current deployment of theapplication can include determining whether the feature is properlyconfigured to receive or is otherwise receiving the data it needs topopulate the associated content in the current deployment of theapplication. For example, it may be determined that the unsuccessfullog-on key indicator feature is deployed in a current deployment of theapplication if the application is configured to receive log-on dataand/or is receiving log-on data during use in the current deployment ofthe application. Conversely, it may be determined that the unsuccessfullog-on key indicator feature is not deployed in a current deployment ofthe application if the application is not properly configured to receivelog-on data and/or is not receiving log-on data during use in thecurrent deployment of the application (e.g., in a scenario in which,despite the application being configured correctly, the authenticationserver is not sending log-on data to the application).

As further described herein, in some embodiments, a deploymentcompleteness GUI (e.g., including a deployment profile overview GUI 310described in more detail below with regard to at least FIGS. 3A-3E) foran application can include an indication of deployed features and/orun-deployed features for a current deployment of the application. Forexample, a deployment completeness GUI for an application can include adeployment percentage indicative of a percentage of the availablefeatures that are deployed in a current deployment of the application.If, for example, there are 1000 available features and 990 of thefeatures are deployed (with 10 of the available features beingun-deployed), then the deployment completeness GUI may display adeployment percentage value of 99%. In some embodiments, a deploymentcompleteness GUI for an application can include an indication of anumber of the un-deployed features in a current deployment of theapplication. If, for example, there are 1000 available features and 990of the features are deployed (with 10 of the available features beingun-deployed), then the deployment completeness GUI may display anun-deployed feature value of 10.

In some embodiments, a feature can be related to a data model. A datamodel can include one or more “objects” (also referred to as “data modelobjects”) that define or otherwise correspond to a specific set of data.A data model object may be defined by: (1) a set of search constraints;and (2) a set of fields. Thus, a data model object can be used toquickly search data to identify a set of events (e.g., a set of eventsthat satisfy the set of search constraints of the data model object) anda set of fields associated with the set of events (e.g., the set offields of the data model object that are in the set of eventsidentified). For example, an “e-mails processed” data model object mayspecify a search for events relating to e-mails that have been processedby a given e-mail server, and specify a set of fields (e.g., date, size,etc.) that are associated with the events. A user can use the “e-mailsprocessed” data model object to quickly identify a listing of the valuesfor the set of fields (e.g., date, size, etc.) of the events relating toe-mails processed by the given e-mail server. By using a data model, theuser may not have to recreate the associated search or re-identify thefields of interest. Example embodiments of data models and example usageof data models is described in U.S. patent application Ser. No.14/503,335 titled “Generating Reports from Unstructured Data” and filedon Sep. 30, 2014, which is hereby incorporated by reference in itsentirety.

As further described herein, in some embodiments, one or more featurescan be mapped to one or more data models. A feature may be mapped, forexample, to a data model that can employ data associated with thefeature. For example, the unsuccessful log-on key indicator may bepopulated with values based on tallying a number of events returned inresponse to predefined search for events provided by one or moreauthentication servers that have a timestamp associated with the last 24hours that indicate an unsuccessful log-on attempt. If an authenticationdata model can make use of the same search, then the unsuccessful log-onkey indicator feature may be mapped to the authentication data model. Asimilar mapping can be made between some or all of the data models andfeatures of the application. A data model may be referred to as“un-deployed” in a current deployment of an application if all of thefeatures mapped to the data model are un-deployed in the currentdeployment of the application. A data model may be referred to as“deployed” in a current deployment of the application if at least one ofthe features mapped to the data model is deployed in the currentdeployment of the application.

As further described herein, in some embodiments, a deploymentcompleteness GUI for an application can include an indication ofdeployed data models and/or un-deployed data models for a currentdeployment of the application. For example, a deployment completenessGUI for an application can include an un-deployed data model indicatorindicative of a number of the un-deployed data models in a currentdeployment of the application. If, for example, there are 100 datamodels and 98 of the data models are deployed (with 2 of the data modelsbeing un-deployed), then the deployment completeness GUI may display anun-deployed data model value of 2. In some embodiments, a deploymentcompleteness GUI for an application can include a listing of data modelsthat includes a data model status for each of the data models,indicating whether the respective data model is deployed or un-deployedin the current deployment of the application.

As further described herein, in some embodiments, each of data modelslisted in a deployment completeness GUI may include interactive elementsthat are selectable to navigate to display of a data model deploymentprofile that lists the features mapped to the data model. In someembodiments, if a feature mapped to the data model is un-deployed, thenthe data model deployment profile can also display deployment contentthat communicates one more conditions for deploying the feature. Thedeployment content can include, for example, a suggested course ofaction that can be taken to deploy the feature. The deployment contentcan include, for example, content or links to content that providesinstructions for configuring the application to intake data relied on bythe un-deployed feature, installing an application to intake data reliedon by the un-deployed feature, purchasing additional software orhardware needed to intake data relied on by the un-deployed feature,configuring hardware for a data source such that it can provide the datarelied on by the un-deployed feature, and/or the like. For example, ifthe unsuccessful log-on key indicator is un-deployed, then thedeployment content for the feature may indicate that it needs to receivelog-on data, and include a link to instructions for configuring the ESapplication to receive log-on data from one or more authenticationservers and/or the like.

Although certain embodiments are described with regard to certain typesof applications (e.g., ES applications) and/or application features(e.g., an unsuccessful log-on key indicator feature) for the purpose ofillustration, the described embodiments can be employed with anysuitable applications and features.

Turning now to the figures, FIG. 1 illustrates an example dataprocessing environment (“environment”) 100 in accordance with thedisclosed embodiments. In some embodiments, the environment 100 caninclude a search system 102 and a client device 104 communicativelycoupled to one another via a communications network 106. The clientdevice 106 may be used or otherwise accessed by a user 108, such as asystem administrator or a customer. The search system 102 may include anapplication server 110 (e.g., a search server) communicatively coupledto a back-end search system 120. The back-end search system 120 may bethe same or similar to that of search system 1100 described in moredetail below with regard to at least FIG. 5. For example, the back-endsearch system 120 may include data sources, forwarders, indexers, indexdata stores, search heads and/or the like components that facilitate theintake, storage and searching of machine-generated data. In someembodiments, the back-end search system 120 is communicatively coupledone or more data sources 122.

The network 106 may include an element or system that facilitatescommunication between the entities of the environment 100, including,for example, the application server 110, the one or more client devices104, and/or the like. The network 106 may include an electroniccommunications network, such as the Internet, a local area network(LAN), a wide area network (WAN), a wireless local area network (WLAN),a cellular communications network, and/or the like. In some embodiments,the network 106 can include a wired or a wireless network. In someembodiments, the network 106 can include a single network or acombination of networks.

A client device 104 may include any variety of electronic devices. Insome embodiments, a client device 104 can include a device capable ofcommunicating information via the network 106. A client device 104 mayinclude one or more computer devices, such as a desktop computer, aserver, a laptop computer, a tablet computer, a wearable computerdevice, a personal digital assistant (PDA), a smart phone, and/or thelike. In some embodiments, a client device 104 may be a client of theapplication server 110. In some embodiments, a client device 104 caninclude various input/output (I/O) interfaces, such as a display (e.g.,for displaying graphical user interfaces (GUIs)), an audible output userinterface (e.g., a speaker), an audible input user interface (e.g., amicrophone), an image acquisition interface (e.g., a camera), akeyboard, a pointer/selection device (e.g., a mouse, a trackball, atouchpad, a touchscreen, a gesture capture or detecting device, or astylus), and/or the like. In some embodiments, a client device 104 caninclude general computing components and/or embedded systems optimizedwith specific components for performing specific tasks. In someembodiments, a client device 104 can include programs/applications thatcan be used to generate a request for content, to provide content, torender content, and/or to send and/or receive requests to and/or fromother devices via the network 106. For example, a client device 104 mayinclude an Internet browser application or a local data search andreporting application that facilitates communication with servers, suchas the application server 110, via the network 106. In some embodiments,a program or application of a client device 104 can include programmodules having program instructions that are executable by a computersystem to perform some or all of the functionality described herein withregard to a client device 104. In some embodiments, a client device 104can include one or more computer systems similar to that of the computersystem 1000 described below with regard to at least FIG. 4.

The application server 110 may include a computing device having networkconnectivity and being capable of providing one or more services tonetwork clients, such as a client device 104. These services caninclude, for example, ingesting, processing, storing, monitoring,searching data and/or serving content, such as deployment profile GUIcontent 130. The application server 110 may include an application 140and a data store 142. The application 140 may include, for example, anenterprise application, such as ES application. The application 140 mayprovide for executing some or all of the functionality described hereinwith regard to the application 140 and/or the application server 110.The data store 142 may include a medium for the storage of data thereon.For example, the data store 142 may include a non-transitorycomputer-readable medium storing the application 140 (e.g., storing theexecutable code of the application 140), an application a listing ofavailable features 150, a listing of deployed features 152, a listing ofun-deployed features 154, and a feature-data source mapping 156,feature-data model mapping 158, and/or the like. As described herein alisting of available features 150 may include a listing of features thatcan be deployed with an application (e.g., an unsuccessful log-on keyindicator feature, a current user sessions key indicator feature, amalware dashboard feature, and/or the like).

A listing of deployed features 152 may include a listing of availablefeatures that are deployed in a current deployment of the application. Alisting of un-deployed features 154 may include a listing of availablefeatures that are not deployed in a current deployment of theapplication. A feature-data source mapping 156 may include a mapping ofavailable features 150 to one or more data sources 122. This caninclude, for example, including for each feature, a mapping of one ormore data sources that can be used to provide data relied on by thefeature (e.g., a mapping of the “unsuccessful log-on key indicator”feature to “authentication server”). In some embodiments, thefeature-data source mapping 156 can be based on known solutions and/orconfigurations, including solutions and/or configurations employed byother users and application deployments. For example, if it isdetermined that at least a threshold percentage of deployments of theapplication include populating the unsuccessful log-on key indicatorfeature using log-on data provided by a particular type ofauthentication application executing on an authentication server, thenthe unsuccessful log-on key indicator feature may be mapped to acondition that includes the particular type of authenticationapplication executing on an authentication server. Thus, the mappings offeatures to conditions for an application may be determined based, forexample, on crowd-sourced deployment information for the application. Insome embodiments, the mapping 150 may also include a mapping of one ormore suggestions or conditions for deploying the feature. For example,the unsuccessful log-on key indicator feature may be mapped to log-ondata of an authentication server, and corresponding suggestions toconfigure the application to ingest log-on data, suggested instructionsfor configuring the application to ingest log-on data to ingest log-ondata from an authentication server, a suggestion todownload/purchase/install an application for ingesting log-on data froman authentication server, a link to locations with content to assist inconfiguring the application to ingest log-on data, and/or the like. Afeature-data model mapping 158 may include a mapping of one or moreavailable features 150 to one or more data models, including for eachdata model, a mapping of one or more features (e.g., a mapping of the“unsuccessful log-on key indicator” feature to “authentication” datamodel). Although certain embodiments are described with regard to asingle data store 142 for the purpose of illustration, embodiments caninclude employing multiple data stores 142, such as one or moredistributed data stores 142. Moreover, although certain embodiments aredescribed with regard to a single application server 110 for the purposeof illustration, embodiments can include employing multiple applicationservers 110, such as one or more distributed application servers 110. Insome embodiments, the application server 110 can include one or morecomputer systems similar to that of the computer system 1000 describedbelow with regard to at least FIG. 4.

As noted above, the application server 110 may be in communication withone or more components of a back-end search system 120. In someembodiments, the back-end search system 120 can be similar to that ofsearch system 1100 described in more detail below with regard to atleast FIG. 5. For example, the back-end search system 120 can includeone or more data sources (“sources”) (e.g., sources 1105 of FIG. 5), oneor more forwarders (e.g., forwarders 1101 of FIG. 5), one or moreindexers (e.g., indexers 1102 of FIG. 5), one or more index data stores(e.g., data stores 1103 of FIG. 5), and/or one or more search heads(e.g., search head 1104 of FIG. 5). As described in more detail belowwith regard to at least FIGS. 5-11D, in the context of monitoringmachine-generated data, forwarders may provide for collectingmachine-generated data from one or more data sources, such as datastreaming from packaged and custom applications, application servers,web servers, databases, wire data from networks, virtual machines,telecom equipment, operating systems, sensors, and/or the like. Indexersmay provide for receiving, indexing, storing, and/or searching themachine-generated data received from the forwarders. Search heads mayprovide for servicing search requests (e.g., search requests receivedfrom the application server 110), including distributing search tasks toone or more indexers, receiving one or more search results from the oneor more indexers and merging the search results received from the one ormore indexers. A search head may provide the search results to theapplication server 110. In some embodiments, the application server 110serves search results and reports to the client device 104 forpresentation to the user 108. Although the application server 110 isillustrated as a component that is separate from the back-end searchsystem 120 for the purpose of illustration, embodiments can include theapplication server 110 and/or its functionality being included in orintegrated with one or more components of the back-end search system120. For example, some or all of the components and functionality of theapplication server 110 can be integrated with or provided by a searchhead of the back-end search system 120.

As described herein, the application 140 may include an enterpriseapplication that includes one or more available features 150. Theapplication 140 may deployed on the application server 110, and thedeployment of the application can include configurations of theapplication itself, as well as related software and hardware. Forexample, a deployment of the application 140 can include the applicationand/or the search system 120 being configured to receivemachine-generated data from one or more data sources 122 (e.g., userlog-on data from one or more authentication servers). In someembodiments, the application 140 can identify deployed features 152(e.g., available features 150 that are deployed in a current deploymentof the application 140), and un-deployed features 154 (e.g., availablefeatures 150 that are not deployed in a current deployment of theapplication 140). In some embodiments, the application 140 can serve GUIcontent 130 to the client device 104 for display to the user 108. Insome embodiments, the feature profile GUI content 130 can include one ormore interactive GUIs (e.g., an interactive deployment completeness GUI)that provide an indication of un-deployed features 154 and conditions orsuggested courses of action to deploy the un-deployed features 154.

FIGS. 2A and 2B are flowcharts that illustrate example methods forindicating deployment of application features in accordance with thedisclosed embodiments. FIG. 2A is a flowchart that illustrates anexample method 200 for indicating deployment of application features inaccordance with the disclosed embodiments. FIG. 2B is a flowchart thatillustrates an example method 250 for providing an interactivedeployment completeness graphical user interface (GUI) indicatingdeployment of application features in accordance with the disclosedembodiments. FIGS. 3A-3E are illustrations of example GUIs in accordancewith the disclosed embodiments.

Turning to FIG. 2A, the method 200 may generally include determiningavailable features of a current deployment of an application (block202), determining deployed features of the current deployment of theapplication (block 204), determining un-deployed features of the currentdeployment of the application (block 206), determining conditions todeploy the un-deployed features (block 208), and providing a deploymentcompleteness GUI indicating feature deployment (block 210). In someembodiments some or all of the operations described with regard tomethod 200 can be performed by execution of the application 140 by thesearch server 102.

In some embodiments, determining available features of a currentdeployment of an application (block 202) can include determiningavailable features of an application regardless of whether they are orare not currently deployed. That is, determining available features of acurrent deployment of an application can include determining all of theavailable features of an application. For example, determining availablefeatures of a current deployment of an ES enterprise application 140 mayinclude identifying the unsuccessful log-on key indicator feature (e.g.,for indicating a number of unsuccessful attempts to log-on to one of theorganization's applications in the last 24 hours), the current usersessions key indicator feature (e.g., for indicating a number of currentuser sessions on the organization's network), a malware dashboardfeature (e.g., for indicating a trend of malicious activity, such as avisualization including a rolling plot of a rate of infections of thecompany's system in the last week), and so forth. In some embodiments,determining available features of a current deployment of an applicationcan include updating the listing of available features 150. For example,the unsuccessful log-on key indicator feature, the current user sessionskey indicator feature, the malware dashboard feature, and so forth maybe added to the list of available features 150.

In some embodiments, determining deployed features of the currentdeployment of the application (block 204) and/or determining un-deployedfeatures of the current deployment of the application (block 206) caninclude determining, for each of some or all of the available features,whether the feature is properly configured to receive or is otherwisereceiving the input data it needs to populate the associated content forthe feature in the current deployment of the application. For example,with regard to an unsuccessful log-on key indicator, it may bedetermined that the feature is deployed in a current deployment of theapplication if it is properly configured to and/or is currentlyreceiving log-on data in the current deployment of the application.Thus, for example, it may be determined that the unsuccessful log-on keyindicator is deployed in the current deployment of the application if itis configured to receive log-on data and/or receiving log-on data (e.g.,from one or more authentication servers) during use in the currentdeployment of the application. Conversely, it may be determined that theunsuccessful log-on key indicator feature is not deployed in the currentdeployment of the application if it is not properly configured toreceive log-on data and/or is not receiving log-on data during use inthe current deployment of the application. Thus, for example, it may bedetermined that the unsuccessful log-on key indicator is not deployed inthe current deployment of the application if the current deployment ofthe application is not configured to receive log-on data and/or thelog-on data is not being received during use in the current deploymentof the application (e.g., in a scenario where, despite the applicationbeing configured properly to receive log-on data from an authenticationserver, the authentication server is not sending the log-on data).

As a further example, with regard to a current user sessions keyindicator, it may be determined that the feature is deployed in acurrent deployment of the application if it is properly configured toand/or is currently receiving user session data in the currentdeployment of the application. Thus, for example, it may be determinedthat the current user sessions key indicator is deployed in the currentdeployment of the application if it is configured to receive usersession data and/or receiving user sessions data (e.g., from one or moresecure global desktop (SGD) servers) during use in the currentdeployment of the application. Conversely, it may be determined that thecurrent user sessions key indicator feature is not deployed in thecurrent deployment of the application if it is not properly configuredto receive user sessions data and/or is not receiving user session dataduring use in the current deployment of the application. Thus, forexample, it may be determined that the current user sessions indicatoris not deployed in the current deployment of the application if thecurrent deployment of the application is not configured to receive usersession data and/or the user session data is not being received duringuse in the current deployment of the application (e.g., in a scenariowhere, despite the application being configured properly to receive usersession data from an SGD server, the SGD server is not sending thelog-on data).

In some embodiments, determining deployed features of the currentdeployment of the application and/or determining un-deployed features ofthe current deployment of the application can include updating thelistings deployed features 152 and/or un-deployed features 154accordingly. For example, if the current user sessions key indicatorfeature is determined to be deployed in the current deployment of theapplication 140, then the current user sessions key indicator featurecan be added to the list of deployed features 152. As a further example,if the unsuccessful log-on key indicator feature is determined to beun-deployed in the current deployment of the application 140, then theunsuccessful log-on key indicator feature can be added to the list ofun-deployed features 154. A similar determination and/or update can beperformed for each of the available features 140. Thus, for example,each of the available features may be included in either the list ofdeployed features 152 or the list un-deployed features 154.

In some embodiments, determining conditions to deploy the un-deployedfeatures (block 208) can include determining, for each of some or all ofthe un-deployed features 154, one or more conditions that may besatisfied to deploy the feature. For example, if the unsuccessful log-onkey indicator feature is determined to be un-deployed in the currentdeployment of the application 140 because was determined that it is notconfigured to receive log-on data and/or the log-on data is not beingreceived during use in the current deployment of the application, thenthe condition to deploy the feature may be determined to be configuringthe application to receive log-on data from one or more data sources. Insome embodiments, the condition may be a relatively high-level solution,such as receive log-on data from one or more data sources. This may becommunicated, for example, to a user by simply providing an indicationsuch as “Deploy Feature→Provide Log-on Data”, or “To deploy theunsuccessful log-on key indicator feature, you need to configure yoursystem to provide log-on data from one or more data sources.” In someembodiments, the condition(s) may be a relatively detailed solution,such as receive log-on data from one or more authentication servers,download and install an add-on application (e.g., an authenticationadd-on application) that can receive log-on data from one or moreauthentication servers, contact a vendor (e.g., Oracle) to purchasesoftware or hardware that can generate and provide log-on data, and/orthe like. Although several example conditions are provided for thepurpose of illustration, embodiments can include determining anysuitable conditions for deploying an un-deployed feature.

In some embodiments, determining a condition to deploy an un-deployedfeature can be based on a mapping of one or more conditions to thefeature. The conditions or suggestions for deploying an un-deployedfeature can include some or all of the conditions mapped to the feature.For example, if the feature-data source mapping 156 includes a mappingof the unsuccessful log-on key indicator feature to an input of log-ondata, then the condition can simply include providing log-on data foruse by the feature. In such an embodiment, a corresponding suggestion tothe user 104 can include a suggestion that the user 104 configure theirsystem 102 to provide log-on data for use by the feature. As a furtherexample, if the feature-data source mapping 156 includes a mapping ofthe unsuccessful log-on key indicator feature to an input of log-on datafrom a particular data source, such as an authentication server, thenthe condition can include providing log-on data from the authenticationserver for use by the feature. In such an embodiment, a correspondingsuggestion to the user 104 can include a more detailed suggestion thatthe user 104 configure their system 102 to provide log-on data from anauthentication server for use by the feature. In accordance with theother examples described herein, suggestions to the user can correspondto any variety of conditions mapped to the feature, such as installing afree application, purchasing and installing a paid application,obtaining third party software or hardware, and/or the like. Suchinformation can be provided, for example, in the deployment content 344(e.g., accompanying a feature) as described in more detail below withregard to at least FIG. 3D.

In some embodiments, providing an interactive deployment completenessGUI (also referred to as a “feature management GUI”) indicating featuredeployment (block 210) can include providing an interactive dashboardthat provides indications of deployed features, un-deployed features,deployed data models, and/or un-deployed data models for a currentdeployment of the application. In some embodiments, the dashboard canalso indicate conditions or provide suggestions for courses of actionthat a user can take to deploy one or more un-deployed features. FIGS.3A-3E are illustrations of example deployment completeness GUIs inaccordance with the disclosed embodiments. The GUIs of FIGS. 3A-3E arediscussed in more detail in conjunction with FIG. 2B, which is aflowchart that illustrates an example method 250 for providing aninteractive deployment completeness GUI indicating feature deployment(e.g., block 210) in accordance with the disclosed embodiments.

Referring to method 250 of FIG. 2B, in some embodiments, an applicationmanagement GUI may be displayed (block 252). FIG. 3A illustrates anexample application management GUI 300 in accordance with the disclosedembodiments. In some embodiments, the application management GUI 300 maybe displayed, for example, as a result of the user 108 logging intohis/her account with the system 102. In some embodiments, theapplication management GUI 300 includes a menu selection for “Settings”that, when selected, provides a drop-down menu displaying links tovarious destinations. The links may include a “Deployment Profile” link302. Upon selection of the link 302 (e.g., a selection to navigate to adeployment profile) (block 254), a deployment profile overview GUI maybe displayed (block 256). FIG. 3B illustrates an example deploymentprofile overview GUI 310 in accordance with the disclosed embodiments.As illustrated, the deployment profile overview GUI 310 may includedeployment metrics 312 and a listing of data models 314. The deploymentmetrics 312 may include a feature deployment completeness metric 320, adata model deployment metric 322 and a feature (or “object”) deploymentmetric 324.

The feature deployment completeness metric 320 can include display of adeployment percentage indicative of a percentage of the availablefeatures 150 that are deployed in a current deployment of theapplication. If, for example, there are 1000 available features and 990of the features are deployed (with 10 of the available features beingun-deployed), then the dashboard may display a deployment percentagevalue of 99%. In the illustrated embodiment, the feature deploymentmetric 324 includes a deployment percentage value of 99%, indicatingthat 99% of the features of the corresponding ES application aredeployed in a current deployment of the corresponding ES application. Insome embodiments, the deployment completeness metric 320 can includeother visualizations in place of or in conjunction with the displayedvalue. For example, in the illustrated embodiment, the displayed valueof 99% is accompanied by a progress bar indicating that 99% of thefeatures of the corresponding ES application are deployed in a currentdeployment of the corresponding ES application.

In some embodiments, the data model deployment metric 322 indicates anumber of un-deployed data models in a current deployment of theapplication. If, for example, there are 100 available data models and 99of the data models are deployed (with 1 of the available features beingun-deployed), then the dashboard may display a value of 1. In theillustrated embodiment, the data model deployment metric 322 has a valueof 2, indicating that there are 2 un-deployed data models in the currentdeployment of the corresponding ES application. In some embodiments, thedata model deployment metric 322 can include other visualizationsdisplayed in place of or in conjunction with a displayed value. Forexample, in the illustrated embodiment, the displayed value of 2 isaccompanied by a status indicator including a triangular yellow warningsign (e.g., a warning tick), indicating that at least one of the datamodels of the corresponding ES application is un-deployed in a currentdeployment of the corresponding ES application. If the all of the datamodels are deployed, for example, the value may be “0” and the statusindicator may include a green circle (e.g., an OK tick) with a checkmark indicating that all of the data models of the corresponding ESapplication are deployed in a current deployment of the corresponding ESapplication.

In some embodiments, the feature (or “object”) deployment metric 324indicates a number of the un-deployed features in a current deploymentof the application. If, for example, there are 1000 available featuresand 990 of the features are deployed (with 10 of the available featuresbeing un-deployed), then the dashboard may display a value of 10. In theillustrated embodiment, the feature deployment metric 324 has a value of4, indicating that there are 4 un-deployed features in the currentdeployment of the corresponding ES application. In some embodiments, thefeature deployment metric 324 can include other visualizations displayedin place of or in conjunction with a displayed value. For example, inthe illustrated embodiment, the displayed value of 4 is accompanied by astatus indicator including a triangular yellow warning sign (e.g., awarning tick), indicating that at least one of the features of thecorresponding ES application is un-deployed in a current deployment ofthe corresponding ES application. If the all of the features aredeployed, for example, the value may be “0” and the status indicator mayinclude a green circle (e.g., an OK tick) with a check mark indicatingthat all of the features of the corresponding ES application aredeployed in a current deployment of the corresponding ES application.

In some embodiments, the listing of data models 314 can include aninteractive listing of data models 330 associated with the application.Each row of the listing may correspond to a different data model (e.g.,the “Application_state” data model, the “Authentication” data model, andso forth). Each row may include a corresponding data model statusindicator 332. The data model status indicator 332 may indicate whetherthe corresponding data model is deployed or un-deployed. In someembodiments, a data model that is deployed may be accompanied by acorresponding data model status indicator 332 including a green circle(e.g., a OK tick) with a check mark indicating that all of the featuresmapped to the data model are deployed in a current deployment of thecorresponding application. In some embodiments, a data model that isun-deployed may be accompanied by a corresponding data model statusindicator 332 including a triangular yellow warning sign (e.g., awarning tick), indicating that all of the features mapped to the datamodel are un-deployed in a current deployment of the correspondingapplication. For example, in the illustrated embodiment, the data modelstatus indicator 332 for each of the “Network_Sessions” data model andthe “Ticket Management” data model include warning ticks indicating thatthe features mapped to the respective data models are un-deployed in thecurrent deployment of the corresponding ES application. Further, in theillustrated embodiment, the data model status indicator 332 for each ofthe other data models displayed (e.g., the “Application_state” datamodel, the “Authentication” data model, and so forth) include OK ticksindicating that some or all of the features mapped to the respectivedata models are deployed the current deployment of the corresponding ESapplication.

Referring again to method 250 of FIG. 2B, method 200 may includedisplaying a data model deployment profile GUI (block 260) in responseto selection of a data model (block 258). For example, each of the datamodels 330 of the interactive listing of data models 314 may beinteractive elements that are user selectable to navigate to a datamodel deployment profile. FIG. 3C illustrates an example in which the“Authentication” data model 330 has been selected to expand the elementto display a corresponding data model deployment profile GUI 340 inaccordance with the disclosed embodiments. In some embodiments, thedeployment profile GUI 340 includes a listing of the features of theapplication mapped to the data model 330. In some embodiments, thefeatures may be grouped based on one or more shared characteristics,such as their type (e.g., search, panel, and/or the like), groupingsthey are associated with (e.g., DA-ESS-AccessProtection. DA-ESS-IdentityManagement, and/or the like). In the illustrated embodiment, thedeployment profile GUI 340 includes a listing that includes features 342of “Access—Access Over Time”, “Access—Access Over Time by Action”, andso forth. In some embodiments, a user can scroll down to see all of thefeatures for a data model 330 if they are not immediately visible in thedeployment profile GUI 340. As described herein, each of the features342 may be associated with input data and/or a data source. For example,the “Access—Access Over Time” feature may be associated with access datareceived, for example, from individual user computer data sources 122.

Notably, the “Authentication” data model is a deployed data model. Insome embodiments, a data model deployment profile GUI 340 for anun-deployed data model 300, such as “Network_Sessions” data model mayinclude additional information, such as content that indicatesconditions or provides suggestions for deploying one or more of thefeatures of the data model 300. FIG. 3D illustrates an example in whichthe “Network_Sessions” data model 330 has been selected to display acorresponding data model deployment profile GUI 340 in accordance withthe disclosed embodiments.

In some embodiments, un-deployed features 342 can be accompanied bydeployment content 344. The deployment content 344 can includeinformation (e.g., conditions or suggestions) that indicates one moreways to deploy the currently un-deployed feature 342. The deploymentcontent 344 can include, for example, content or links to content thatprovides instructions for configuring the application to intake datarelied on by the un-deployed feature, installing an application tointake data relied on by the un-deployed feature, purchasing additionalsoftware or hardware needed to intake data relied on by the un-deployedfeature, configuring hardware for the data source such that it canprovide the data relied on by the un-deployed feature, and/or the like.The conditions or suggestions for deploying an un-deployed feature canbe determined, for example, based on the feature-data source mapping 156as described above with regard to at least block 208 of method 200.

In the illustrated embodiment, the “Sessions—Network Session Details”may be an un-deployed feature 342 of the Network Sessions data model330. It may be determined that the Sessions—Network Session Detailsfeature 342 uses session data to populate corresponding contentdisplayed by the feature (e.g., as described above with regard to atleast block 208 of method 200). Accordingly, the feature 342 may beaccompanied by deployment content 344 that includes a statement of“Deploy Feature→Provide Session Data”, thereby indicating to the user108 that, to deploy the feature 342, they should to configure the system102 to intake session data, or otherwise provide session data for use bythe feature 342. As described herein, the deployment content can includeany content, or even a link to content, that can assist the user 108 indeploying the feature 342. For example, if it is determined that sessiondata is can be obtained from SGD servers, the deployment content 344 mayinclude a corresponding description (e.g., “You can obtain session datafrom SGD servers), a link to instructions for configuring theapplication 140 to intake session data from SGD servers, a link to a anadd-on application that can be installed with the application 140 toenable the application 140 to intake session data from SGD servers, alink to sites for purchasing or otherwise obtaining software and/orhardware that can be used to configure the application 140 to intakesession data from SGD servers, and/or the like. Thus, the deploymentcontent 344 can include conditions or suggestions that indicate one ormore courses of action that can be taken to deploy the feature 342.

Referring again to method 250 of FIG. 2B, method 250 may includedisplaying a feature configuration GUI (block 264) in response toselection of a feature (block 262). For example, each of the features342 of data model deployment profile GUI 340 may include a link that isuser selectable to navigate to a corresponding feature configurationGUI. A feature configuration GUI for a feature 342 may enable the user108 to review and/or edit the configuration of the feature 342. FIG. 3Eillustrates an example feature configuration GUI 360 in accordance withthe disclosed embodiment. The illustrated feature configuration GUI 360may be displayed in response to a user selecting the Sessions—NetworkSession Details feature 342 feature 342 of the Network_Sessions datamodel deployment profile GUI 340 of FIG. 3D. The illustrated featureconfiguration GUI 360 may include a feature configuration GUI 360 forthe Sessions—Network Session Details feature 342. Such a featureconfiguration GUI 360 for the Sessions—Network Session Details feature342 may be displayed, for example, in response to the user 108 selectingthe Sessions—Network Session Details feature 342 of the expanded datamodel deployment profile GUI 340 for the Network Sessions data model 300illustrated in FIG. 3D. The feature configuration GUI 360 may providevarious information about the feature 342, such as the title, availableaction (e.g., open in search, edit, and/or the like), an owner, anapplication (or group) that the feature is associated with, and/or thelike. In some embodiments, selection of the title may enable the user todrill-down to obtain further details about the feature, such as anexpanded view for reviewing or editing the underlying search used tofind the data used to populate the feature 342. Thus, a user 108 may beable to easily navigate to a GUI for reviewing and editing a feature 342by simply selecting the feature 342 in the data model deployment profileGUI 340.

If a selection or other request is made to exit the deployment profileoverview GUI 310 (block 266) (e.g., by selecting the “EnterpriseSecurity” link in the upper right hand corner of the screen), the method250 may return to displaying the application management GUI 300 (block252).

FIG. 4 is a diagram that illustrates an example computer system 1000 inaccordance with one or more embodiments. In some embodiments, thecomputer system 1000 may include a memory 1004, a processor 1006, and aninput/output (I/O) interface 1008. The memory 1004 may includenon-volatile memory (e.g., flash memory, read-only memory (ROM),programmable read-only memory (PROM), erasable programmable read-onlymemory (EPROM), electrically erasable programmable read-only memory(EEPROM)), volatile memory (e.g., random access memory (RAM), staticrandom access memory (SRAM), synchronous dynamic RAM (SDRAM)), bulkstorage memory (e.g., CD-ROM and/or DVD-ROM, hard drives), and/or thelike. The memory 1004 may include a non-transitory computer-readablestorage medium having program instructions 1010 stored therein. Theprogram instructions 1010 may include program modules 1012 that areexecutable by a computer processor (e.g., the processor 1006) to causethe functional operations described herein, including, for example, oneor more of the methods 200 and/or 250. In the context of a computersystem of the client device 106, the program modules 1012 may includeone or more modules for performing some or all of the operationsdescribed with regard to the client device 106. In the context of acomputer system of the application server 110, the program modules 1012may include a one or more modules (e.g., the enterprise applicationmodule 140) for performing some or all of the operations described withregard to the application server 110 and/or the application 140.

The processor 1006 may be any suitable processor capable ofexecuting/performing program instructions. The processor 1006 mayinclude a central processing unit (CPU) that carries out programinstructions (e.g., the program instructions of the program module(s)1012) to perform the arithmetical, logical, and input/output operationsdescribed herein. The processor 1006 may include one or more processors.The I/O interface 1008 may provide an interface for communication withone or more I/O devices 1014, such as a joystick, a computer mouse, akeyboard, a display screen (e.g., an electronic display for displaying agraphical user interface (GUI)), and/or the like. The I/O devices 1014may include one or more of the user input devices. The I/O devices 1014may be connected to the I/O interface 1008 via a wired or a wirelessconnection. The I/O interface 1008 may provide an interface forcommunication with one or more external devices 1016, such as othercomputers, networks, and/or the like. In some embodiments, the I/Ointerface 1008 may include an antenna, transceiver, and/or the like.

Accordingly, provided in some embodiments are systems and methods forindicating deployment of application features. As described herein, insome embodiments, an application can include one or more availablefeatures that can be deployed, a determination can be made as to whichof the available features are deployed or un-deployed in a currentdeployment of the application, and an indication of the un-deployedand/or un-deployed features can be provided, for example, via aninteractive deployment completeness GUI including an interactivedashboard. Such indications may enable a user to easily determine, forexample, what features are and are not properly setup for use in theapplication in view of how the application is currently configured. Insome embodiments, the features can employ machine-generated data andsearches of the data that employ a late binding schema. For example, thefeatures can include visualizations (e.g., metrics, graphs, and/or thelike) or other objects that are based on underlying data contained inevents of machine-generated data. A feature that indicates unsuccessfuluser log-on attempts may employ an underlying search ofmachine-generated data for events generated by authentication serversthat indicate unsuccessful user log-on attempts, and can use thoseevents to determine a metric, such as a number unsuccessful log-onattempts in the last 24 hours, that is displayed to a user by thefeature. Such a search may employ, for example, a late-binding schema toidentify one or more event records of a set of indexed event recordsthat each include a portion of raw-machine-generated data and are eachtime-stamped or otherwise associated with a particular time. At leastthe following sections describe an example data system that may employthe described embodiments, including employing one or more searches ofmachine-generated data that can be employed in conjunction with theabove described techniques.

1.1 Overview of Example Performance Data System

Modern data centers often comprise thousands of host computer systemsthat operate collectively to service requests from even larger numbersof remote clients. During operation, these data centers generatesignificant volumes of performance data and diagnostic information thatcan be analyzed to quickly diagnose performance problems. In order toreduce the size of this performance data, the data is typicallypre-processed prior to being stored based on anticipated data-analysisneeds. For example, pre-specified data items can be extracted from theperformance data and stored in a database to facilitate efficientretrieval and analysis at search time. However, the rest of theperformance data is not saved and is essentially discarded duringpre-processing. As storage capacity becomes progressively cheaper andmore plentiful, there are fewer incentives to discard this performancedata and many reasons to keep it.

This plentiful storage capacity is presently making it feasible to storemassive quantities of minimally processed performance data at “ingestiontime” for later retrieval and analysis at “search time.” Note thatperforming the analysis operations at search time provides greaterflexibility because it enables an analyst to search all of theperformance data, instead of searching pre-specified data items thatwere stored at ingestion time. This enables the analyst to investigatedifferent aspects of the performance data instead of being confined tothe pre-specified set of data items that were selected at ingestiontime.

However, analyzing massive quantities of heterogeneous performance dataat search time can be a challenging task. A data center may generateheterogeneous performance data from thousands of different components,which can collectively generate tremendous volumes of performance datathat can be time-consuming to analyze. For example, this performancedata can include data from system logs, network packet data, sensordata, and data generated by various applications. Also, the unstructurednature of much of this performance data can pose additional challengesbecause of the difficulty of applying semantic meaning to unstructureddata, and the difficulty of indexing and querying unstructured datausing traditional database systems.

These challenges can be addressed by using an event-based system, suchas the SPLUNK® ENTERPRISE system produced by Splunk Inc. of SanFrancisco, Calif., to store and process performance data. The SPLUNK®ENTERPRISE system is the leading platform for providing real-timeoperational intelligence that enables organizations to collect, index,and harness machine-generated data from various websites, applications,servers, networks, and mobile devices that power their businesses. TheSPLUNK® ENTERPRISE system is particularly useful for analyzingunstructured performance data, which is commonly found in system logfiles. Although many of the techniques described herein are explainedwith reference to the SPLUNK® ENTERPRISE system, the techniques are alsoapplicable to other types of data server systems.

In the SPLUNK® ENTERPRISE system, performance data is stored as“events,” wherein each event comprises a collection of performance dataand/or diagnostic information that is generated by a computer system andis correlated with a specific point in time. Events can be derived from“time series data,” wherein time series data comprises a sequence ofdata points (e.g., performance measurements from a computer system) thatare associated with successive points in time and are typically spacedat uniform time intervals. Events can also be derived from “structured”or “unstructured” data. Structured data has a predefined format, whereinspecific data items with specific data formats reside at predefinedlocations in the data. For example, structured data can include dataitems stored in fields in a database table. In contrast, unstructureddata does not have a predefined format. This means that unstructureddata can comprise various data items having different data types thatcan reside at different locations. For example, when the data source isan operating system log, an event can include one or more lines from theoperating system log containing raw data that can include differenttypes of performance and diagnostic information associated with aspecific point in time. Examples of data sources from which an event maybe derived include, but are not limited to: web servers; applicationservers; databases; firewalls; routers; operating systems; and softwareapplications that execute on computer systems, mobile devices, andsensors. The data generated by such data sources can be produced invarious forms including, for example and without limitation, server logfiles, activity log files, configuration files, messages, network packetdata, performance measurements, and sensor measurements. An eventtypically includes a timestamp that may be derived from the raw data inthe event, or may be determined through interpolation between temporallyproximate events having known timestamps.

The SPLUNK® ENTERPRISE system also facilitates using a flexible schemato specify how to extract information from the event data, wherein theflexible schema may be developed and redefined as needed. Note that aflexible schema may be applied to event data “on the fly,” when it isneeded (e.g., at search time), rather than at ingestion time of the dataas in traditional database systems. Because the schema is not applied toevent data until it is needed (e.g., at search time), it is referred toas a “late-binding schema.”

During operation, the SPLUNK® ENTERPRISE system starts with raw data,which can include unstructured data, machine data, performancemeasurements or other time-series data, such as data obtained fromweblogs, syslogs, or sensor readings. It divides this raw data into“portions,” and optionally transforms the data to produce timestampedevents. The system stores the timestamped events in a data store, andenables a user to run queries against the data store to retrieve eventsthat meet specified criteria, such as containing certain keywords orhaving specific values in defined fields. Note that the term “field”refers to a location in the event data containing a value for a specificdata item.

As noted above, the SPLUNK® ENTERPRISE system facilitates using alate-binding schema while performing queries on events. A late-bindingschema specifies “extraction rules” that are applied to data in theevents to extract values for specific fields. More specifically, theextraction rules for a field can include one or more instructions thatspecify how to extract a value for the field from the event data. Anextraction rule can generally include any type of instruction forextracting values from data in events. In some cases, an extraction rulecomprises a regular expression, in which case the rule is referred to asa “regex rule.”

In contrast to a conventional schema for a database system, alate-binding schema is not defined at data ingestion time. Instead, thelate-binding schema can be developed on an ongoing basis until the timea query is actually executed. This means that extraction rules for thefields in a query may be provided in the query itself, or may be locatedduring execution of the query. Hence, as an analyst learns more aboutthe data in the events, the analyst can continue to refine thelate-binding schema by adding new fields, deleting fields, or changingthe field extraction rules until the next time the schema is used by aquery. Because the SPLUNK® ENTERPRISE system maintains the underlyingraw data and provides a late-binding schema for searching the raw data,it enables an analyst to investigate questions that arise as the analystlearns more about the events.

In the SPLUNK® ENTERPRISE system, a field extractor may be configured toautomatically generate extraction rules for certain fields in the eventswhen the events are being created, indexed, or stored, or possibly at alater time. Alternatively, a user may manually define extraction rulesfor fields using a variety of techniques.

Also, a number of “default fields” that specify metadata about theevents rather than data in the events themselves can be createdautomatically. For example, such default fields can specify: a timestampfor the event data; a host from which the event data originated; asource of the event data; and a source type for the event data. Thesedefault fields may be determined automatically when the events arecreated, indexed or stored.

In some embodiments, a common field name may be used to reference two ormore fields containing equivalent data items, even though the fields maybe associated with different types of events that possibly havedifferent data formats and different extraction rules. By enabling acommon field name to be used to identify equivalent fields fromdifferent types of events generated by different data sources, thesystem facilitates use of a “common information model” (CIM) across thedifferent data sources.

1.2 Data Server System

FIG. 5 presents a block diagram of an exemplary event-processing system1100, similar to the SPLUNK® ENTERPRISE system. System 1100 includes oneor more forwarders 1101 that collect data obtained from a variety ofdifferent data sources 1105, and one or more indexers 1102 that store,process, and/or perform operations on this data, wherein each indexeroperates on data contained in a specific data store 1103. Theseforwarders and indexers can comprise separate computer systems in a datacenter, or may alternatively comprise separate processes executing onvarious computer systems in a data center.

During operation, the forwarders 1101 identify which indexers 1102 willreceive the collected data and then forward the data to the identifiedindexers. Forwarders 1101 can also perform operations to strip outextraneous data and detect timestamps in the data. The forwarders 1101next determine which indexers 1102 will receive each data item and thenforward the data items to the determined indexers 1102.

Note that distributing data across different indexers facilitatesparallel processing. This parallel processing can take place at dataingestion time, because multiple indexers can process the incoming datain parallel. The parallel processing can also take place at search time,because multiple indexers can search through the data in parallel.

System 1100 and the processes described below with respect to FIGS. 5-9are further described in “Exploring Splunk Search Processing Language(SPL) Primer and Cookbook” by David Carasso, CITO Research, 2012, and in“Optimizing Data Analysis With a Semi-Structured Time Series Database”by Ledion Bitincka, Archana Ganapathi, Stephen Sorkin, and Steve Zhang,SLAML, 2010, each of which is hereby incorporated herein by reference inits entirety for all purposes.

1.3 Data Ingestion

FIG. 6 presents a flowchart illustrating how an indexer processes,indexes, and stores data received from forwarders in accordance with thedisclosed embodiments. At block 1201, the indexer receives the data fromthe forwarder. Next, at block 1202, the indexer apportions the data intoevents. Note that the data can include lines of text that are separatedby carriage returns or line breaks, and an event may include one or moreof these lines. During the apportioning process, the indexer can useheuristic rules to automatically determine the boundaries of the events,which for example coincide with line boundaries. These heuristic rulesmay be determined based on the source of the data, wherein the indexercan be explicitly informed about the source of the data or can infer thesource of the data by examining the data. These heuristic rules caninclude regular expression-based rules or delimiter-based rules fordetermining event boundaries, wherein the event boundaries may beindicated by predefined characters or character strings. Thesepredefined characters may include punctuation marks or other specialcharacters including, for example, carriage returns, tabs, spaces, orline breaks. In some cases, a user can fine-tune or configure the rulesthat the indexers use to determine event boundaries in order to adaptthe rules to the user's specific requirements.

Next, the indexer determines a timestamp for each event at block 1203.As mentioned above, these timestamps can be determined by extracting thetime directly from the data in the event, or by interpolating the timebased on timestamps from temporally proximate events. In some cases, atimestamp can be determined based on the time the data was received orgenerated. The indexer subsequently associates the determined timestampwith each event at block 1204, for example, by storing the timestamp asmetadata for each event.

Then, the system can apply transformations to data to be included inevents at block 1205. For log data, such transformations can includeremoving a portion of an event (e.g., a portion used to define eventboundaries, extraneous text, characters, etc.) or removing redundantportions of an event. Note that a user can specify portions to beremoved using a regular expression or any other possible technique.

Next, a keyword index can optionally be generated to facilitate fastkeyword searching for events. To build a keyword index, the indexerfirst identifies a set of keywords in events in block 1206. Then, atblock 1207 the indexer includes the identified keywords in an index,which associates each stored keyword with references to eventscontaining that keyword (or to locations within events where thatkeyword is located). When an indexer subsequently receives akeyword-based query, the indexer can access the keyword index to quicklyidentify events containing the keyword.

In some embodiments, the keyword index may include entries forname-value pairs found in events, wherein a name-value pair can includea pair of keywords connected by a symbol, such as an equals sign or acolon. In this way, events containing these name-value pairs can bequickly located. In some embodiments, fields can automatically begenerated for some or all of the name-value pairs at the time ofindexing. For example, if the string “dest=−10.0.1.2” is found in anevent, a field named “dest” may be created for the event, and assigned avalue of “10.0.1.2.”

Finally, the indexer stores the events in a data store at block 1208,wherein a timestamp can be stored with each event to facilitatesearching for events based on a time range. In some cases, the storedevents are organized into a plurality of buckets, wherein each bucketstores events associated with a specific time range. This not onlyimproves time-based searches, but it also allows events with recenttimestamps that may have a higher likelihood of being accessed to bestored in faster memory to facilitate faster retrieval. For example, abucket containing the most recent events can be stored as flash memoryinstead of on hard disk.

Each indexer 1102 is responsible for storing and searching a subset ofthe events contained in a corresponding data store 1103. By distributingevents among the indexers and data stores, the indexers can analyzeevents for a query in parallel, for example, using map-reducetechniques, wherein each indexer returns partial responses for a subsetof events to a search head that combines the results to produce ananswer for the query. By storing events in buckets for specific timeranges, an indexer may further optimize searching by looking only inbuckets for time ranges that are relevant to a query.

Moreover, events and buckets can also be replicated across differentindexers and data stores to facilitate high availability and disasterrecovery as is described in U.S. patent application Ser. No. 14/266,812filed on Apr. 30, 2014, and in U.S. patent application Ser. No.14/266,817 also filed on Apr. 30, 2014, which are hereby incorporated byreference.

1.4 Query Processing

FIG. 7 presents a flowchart illustrating how a search head and indexersperform a search query in accordance with the disclosed embodiments. Atthe start of this process, a search head receives a search query from aclient at block 1301. Next, at block 1302, the search head analyzes thesearch query to determine what portions can be delegated to indexers andwhat portions need to be executed locally by the search head. At block1303, the search head distributes the determined portions of the queryto the indexers. Note that commands that operate on single events can betrivially delegated to the indexers, while commands that involve eventsfrom multiple indexers are harder to delegate.

Then, at block 1304, the indexers to which the query was distributedsearch their data stores for events that are responsive to the query. Todetermine which events are responsive to the query, the indexer searchesfor events that match the criteria specified in the query. This criteriacan include matching keywords or specific values for certain fields. Ina query that uses a late-binding schema, the searching operations inblock 1304 may involve using the late-binding scheme to extract valuesfor specified fields from events at the time the query is processed.Next, the indexers can either send the relevant events back to thesearch head, or use the events to calculate a partial result, and sendthe partial result back to the search head.

Finally, at block 1305, the search head combines the partial resultsand/or events received from the indexers to produce a final result forthe query. This final result can comprise different types of datadepending upon what the query is asking for. For example, the finalresults can include a listing of matching events returned by the query,or some type of visualization of data from the returned events. Inanother example, the final result can include one or more calculatedvalues derived from the matching events.

Moreover, the results generated by the system 1100 can be returned to aclient using different techniques. For example, one technique streamsresults back to a client in real-time as they are identified. Anothertechnique waits to report results to the client until a complete set ofresults is ready to return to the client. Yet another technique streamsinterim results back to the client in real-time until a complete set ofresults is ready, and then returns the complete set of results to theclient. In another technique, certain results are stored as “searchjobs,” and the client may subsequently retrieve the results byreferencing the search jobs.

The search head can also perform various operations to make the searchmore efficient. For example, before the search head starts executing aquery, the search head can determine a time range for the query and aset of common keywords that all matching events must include. Next, thesearch head can use these settings to query the indexers to obtain asuperset of the eventual results. Then, during a filtering stage, thesearch head can perform field-extraction operations on the superset toproduce a reduced set of search results.

1.5 Field Extraction

FIG. 8 presents a block diagram illustrating how fields can be extractedduring query processing in accordance with the disclosed embodiments. Atthe start of this process, a search query 1402 is received at a queryprocessor 1404. Query processor 1404 includes various mechanisms forprocessing a query, wherein these mechanisms can reside in a search head1104 and/or an indexer 1102. Note that the exemplary search query 1402illustrated in FIG. 8 is expressed in Search Processing Language (SPL),which is used in conjunction with the SPLUNK® ENTERPRISE system. SPL isa pipelined search language in which a set of inputs is operated on by afirst command in a command line, and then a subsequent command followingthe pipe symbol “|” operates on the results produced by the firstcommand, and so on for additional commands. Search query 1402 can alsobe expressed in other query languages, such as the Structured QueryLanguage (SQL) or any suitable query language.

Upon receiving search query 1402, query processor 1404 sees that searchquery 1402 includes two fields “IP” and “target.” Query processor 1404also determines that the values for the “IP” and “target” fields havenot already been extracted from events in data store 1414, andconsequently determines that query processor 1404 needs to useextraction rules to extract values for the fields. Hence, queryprocessor 1404 performs a lookup for the extraction rules in a rule base1406, wherein the rule base 1406 maps field names to correspondingextraction rules and obtains extraction rules 1408-1409, whereinextraction rule 1408 specifies how to extract a value for the “IP” fieldfrom an event, and extraction rule 1409 specifies how to extract a valuefor the “target” field from an event. As is illustrated in FIG. 8,extraction rules 1408-1409 can comprise regular expressions that specifyhow to extract values for the relevant fields. Suchregular-expression-based extraction rules are also referred to as “regexrules.” In addition to specifying how to extract field values, theextraction rules may also include instructions for deriving a fieldvalue by performing a function on a character string or a valueretrieved by the extraction rule. For example, a transformation rule maytruncate a character string, or convert the character string into adifferent data format. In some cases, the query itself can specify oneor more extraction rules.

Next, query processor 1404 sends extraction rules 1408-1409 to a fieldextractor 1412, which applies extraction rules 1408-1409 to events1416-1418 in a data store 1414. Note that data store 1414 can includeone or more data stores, and extraction rules 1408-1409 can be appliedto large numbers of events in data store 1414, and are not meant to belimited to the three events 1416-1418 illustrated in FIG. 8. Moreover,the query processor 1404 can instruct field extractor 1412 to apply theextraction rules to all of the events in a data store 1414, or to asubset of the events that have been filtered based on some criteria.

Next, field extractor 1412 applies extraction rule 1408 for the firstcommand “Search IP=“10*” to events in data store 1414 including events1416-1418. Extraction rule 1408 is used to extract values for the IPaddress field from events in data store 1414 by looking for a pattern ofone or more digits, followed by a period, followed again by one or moredigits, followed by another period, followed again by one or moredigits, followed by another period, and followed again by one or moredigits. Next, field extractor 1412 returns field values 1420 to queryprocessor 1404, which uses the criterion IP=“10*” to look for IPaddresses that start with “10”. Note that events 1416 and 1417 matchthis criterion, but event 1418 does not, so the result set for the firstcommand is events 1416-1417.

Query processor 1404 then sends events 1416-1417 to the next command“stats count target.” To process this command, query processor 1404causes field extractor 1412 to apply extraction rule 1409 to events1416-1417. Extraction rule 1409 is used to extract values for the targetfield for events 1416-1417 by skipping the first four commas in events1416-1417, and then extracting all of the following characters until acomma or period is reached. Next, field extractor 1412 returns fieldvalues 1421 to query processor 1404, which executes the command “statscount target” to count the number of unique values contained in thetarget fields, which in this example produces the value “2” that isreturned as a final result 1422 for the query.

Note that the query results can be returned to a client, a search head,or any other system component for further processing. In general, queryresults may include: a set of one or more events; a set of one or morevalues obtained from the events; a subset of the values; statisticscalculated based on the values; a report containing the values; or avisualization, such as a graph or a chart, generated from the values.

1.6 Exemplary Search Screen

FIG. 10A illustrates an exemplary search screen 1600 in accordance withthe disclosed embodiments. Search screen 1600 includes a search bar 1602that accepts user input in the form of a search string. It also includesa time range picker 1612 that enables the user to specify a time rangefor the search. For “historical searches,” the user can select aspecific time range, or alternatively a relative time range, such as“today,” “yesterday,” or “last week.” For “real-time searches,” the usercan select the size of a preceding time window to search for real-timeevents. Search screen 1600 also initially displays a “data summary”dialog as is illustrated in FIG. 10B that enables the user to selectdifferent sources for the event data, for example, by selecting specifichosts and log files.

After the search is executed, the search screen 1600 can display theresults through search results tabs 1604, wherein search results tabs1604 include: an “events tab” that displays various information aboutevents returned by the search; a “statistics tab” that displaysstatistics about the search results; and a “visualization tab” thatdisplays various visualizations of the search results. The events tabillustrated in FIG. 10A displays a timeline graph 1605 that graphicallyillustrates the number of events that occurred in one-hour intervalsover the selected time range. It also displays an events list 1608 thatenables a user to view the raw data in each of the returned events. Itadditionally displays a fields sidebar 1606 that includes statisticsabout occurrences of specific fields in the returned events, including“selected fields” that are pre-selected by the user, and “interestingfields” that are automatically selected by the system based onpre-specified criteria.

1.7 Acceleration Techniques

The above-described system provides significant flexibility by enablinga user to analyze massive quantities of minimally processed performancedata “on the fly” at search time instead of storing pre-specifiedportions of the performance data in a database at ingestion time. Thisflexibility enables a user to see correlations in the performance dataand perform subsequent queries to examine interesting aspects of theperformance data that may not have been apparent at ingestion time.

However, performing extraction and analysis operations at search timecan involve a large amount of data and require a large number ofcomputational operations, which can cause considerable delays whileprocessing the queries. Fortunately, a number of acceleration techniqueshave been developed to speed up analysis operations performed at searchtime. These techniques include: (1) performing search operations inparallel by formulating a search as a map-reduce computation; (2) usinga keyword index; (3) using a high performance analytics store; and (4)accelerating the process of generating reports. These techniques aredescribed in more detail below.

1.7.1 Map-Reduce Technique

To facilitate faster query processing, a query can be structured as amap-reduce computation, wherein the “map” operations are delegated tothe indexers, while the corresponding “reduce” operations are performedlocally at the search head. For example, FIG. 9 illustrates how a searchquery 1501 received from a client at search head 1104 can split into twophases, including: (1) a “map phase” comprising subtasks 1502 (e.g.,data retrieval or simple filtering) that may be performed in paralleland are “mapped” to indexers 1102 for execution, and (2) a “reducephase” comprising a merging operation 1503 to be executed by the searchhead when the results are ultimately collected from the indexers.

During operation, upon receiving search query 1501, search head 1104modifies search query 1501 by substituting “stats” with “prestats” toproduce search query 1502, and then distributes search query 1502 to oneor more distributed indexers, which are also referred to as “searchpeers.” Note that search queries may generally specify search criteriaor operations to be performed on events that meet the search criteria.Search queries may also specify field names, as well as search criteriafor the values in the fields or operations to be performed on the valuesin the fields. Moreover, the search head may distribute the full searchquery to the search peers as is illustrated in FIG. 5, or mayalternatively distribute a modified version (e.g., a more restrictedversion) of the search query to the search peers. In this example, theindexers are responsible for producing the results and sending them tothe search head. After the indexers return the results to the searchhead, the search head performs the merging operations 1503 on theresults. Note that by executing the computation in this way, the systemeffectively distributes the computational operations while minimizingdata transfers.

1.7.2 Keyword Index

As described above with reference to the flowcharts in FIGS. 6 and 7,the event-processing system 1100 can construct and maintain one or morekeyword indices to facilitate rapidly identifying events containingspecific keywords. This can greatly speed up the processing of queriesinvolving specific keywords. As mentioned above, to build a keywordindex, an indexer first identifies a set of keywords. Then, the indexerincludes the identified keywords in an index, which associates eachstored keyword with references to events containing that keyword, or tolocations within events where that keyword is located. When an indexersubsequently receives a keyword-based query, the indexer can access thekeyword index to quickly identify events containing the keyword.

1.7.3 High Performance Analytics Store

To speed up certain types of queries, some embodiments of the system1100 make use of a high performance analytics store, which is referredto as a “summarization table,” that contains entries for specificfield-value pairs. Each of these entries keeps track of instances of aspecific value in a specific field in the event data and includesreferences to events containing the specific value in the specificfield. For example, an exemplary entry in a summarization table can keeptrack of occurrences of the value “94107” in a “ZIP code” field of a setof events, wherein the entry includes references to all of the eventsthat contain the value “94107” in the ZIP code field. This enables thesystem to quickly process queries that seek to determine how many eventshave a particular value for a particular field, because the system canexamine the entry in the summarization table to count instances of thespecific value in the field without having to go through the individualevents or do extractions at search time. Also, if the system needs toprocess all events that have a specific field-value combination, thesystem can use the references in the summarization table entry todirectly access the events to extract further information without havingto search all of the events to find the specific field-value combinationat search time.

In some embodiments, the system maintains a separate summarization tablefor each of the above-described time-specific buckets that stores eventsfor a specific time range, wherein a bucket-specific summarization tableincludes entries for specific field-value combinations that occur inevents in the specific bucket. Alternatively, the system can maintain aseparate summarization table for each indexer, wherein theindexer-specific summarization table only includes entries for theevents in a data store that is managed by the specific indexer.

The summarization table can be populated by running a “collection query”that scans a set of events to find instances of a specific field-valuecombination, or alternatively instances of all field-value combinationsfor a specific field. A collection query can be initiated by a user, orcan be scheduled to occur automatically at specific time intervals. Acollection query can also be automatically launched in response to aquery that asks for a specific field-value combination.

In some cases, the summarization tables may not cover all of the eventsthat are relevant to a query. In this case, the system can use thesummarization tables to obtain partial results for the events that arecovered by summarization tables, but may also have to search throughother events that are not covered by the summarization tables to produceadditional results. These additional results can then be combined withthe partial results to produce a final set of results for the query.This summarization table and associated techniques are described in moredetail in U.S. Pat. No. 8,682,925, issued on Mar. 25, 2014, which ishereby incorporated by reference.

1.7.4 Accelerating Report Generation

In some embodiments, a data server system such as the SPLUNK® ENTERPRISEsystem can accelerate the process of periodically generating updatedreports based on query results. To accelerate this process, asummarization engine automatically examines the query to determinewhether the generation of updated reports can be accelerated by creatingintermediate summaries. (This is possible if results from preceding timeperiods can be computed separately and combined to generate an updatedreport. In some cases, it is not possible to combine such incrementalresults, for example, where a value in the report depends onrelationships between events from different time periods.) If reportscan be accelerated, the summarization engine periodically generates asummary covering data obtained during a latest non-overlapping timeperiod. For example, where the query seeks events meeting a specifiedcriteria, a summary for the time period includes only events within thetime period that meet the specified criteria. Similarly, if the queryseeks statistics calculated from the events, such as the number ofevents that match the specified criteria, then the summary for the timeperiod includes the number of events in the period that matches thespecified criteria.

In parallel with the creation of the summaries, the summarization engineschedules the periodic updating of the report associated with the query.During each scheduled report update, the query engine determines whetherintermediate summaries have been generated covering portions of the timeperiod covered by the report update. If so, then the report is generatedbased on the information contained in the summaries. Also, if additionalevent data has been received and has not yet been summarized, and isrequired to generate the complete report, the query can be run on thisadditional event data. Then, the results returned by this query on theadditional event data, along with the partial results obtained from theintermediate summaries, can be combined to generate the updated report.This process is repeated each time the report is updated. Alternatively,if the system stores events in buckets covering specific time ranges,then the summaries can be generated on a bucket-by-bucket basis. Notethat producing intermediate summaries can save the work involved inre-running the query for previous time periods, so only the newer eventdata needs to be processed while generating an updated report. Thesereport acceleration techniques are described in more detail in U.S. Pat.No. 8,589,403, issued on Nov. 19, 2013, and U.S. Pat. No. 8,412,696,issued on Apr. 2, 2011, which are hereby incorporated by reference.

1.8 Security Features

The SPLUNK® ENTERPRISE platform provides various schemas, dashboards,and visualizations that make it easy for developers to createapplications to provide additional capabilities. One such application isthe SPLUNK® APP FOR ENTERPRISE SECURITY, which performs monitoring andalerting operations and includes analytics to facilitate identifyingboth known and unknown security threats based on large volumes of datastored by the SPLUNK® ENTERPRISE system. This differs significantly fromconventional Security Information and Event Management (SIEM) systemsthat lack the infrastructure to effectively store and analyze largevolumes of security-related event data. Traditional SIEM systemstypically use fixed schemas to extract data from pre-definedsecurity-related fields at data ingestion time, wherein the extracteddata is typically stored in a relational database. This data extractionprocess (and associated reduction in data size) that occurs at dataingestion time inevitably hampers future incident investigations, whenall of the original data may be needed to determine the root cause of asecurity issue, or to detect the tiny fingerprints of an impendingsecurity threat.

In contrast, the SPLUNK® APP FOR ENTERPRISE SECURITY system stores largevolumes of minimally processed security-related data at ingestion timefor later retrieval and analysis at search time when a live securitythreat is being investigated. To facilitate this data retrieval process,the SPLUNK® APP FOR ENTERPRISE SECURITY provides pre-specified schemasfor extracting relevant values from the different types ofsecurity-related event data, and also enables a user to define suchschemas.

The SPLUNK® APP FOR ENTERPRISE SECURITY can process many types ofsecurity-related information. In general, this security-relatedinformation can include any information that can be used to identifysecurity threats. For example, the security-related information caninclude network-related information, such as IP addresses, domain names,asset identifiers, network traffic volumes, uniform resource locatorstrings, and source addresses. The process of detecting security threatsfor network-related information is further described in U.S. patentapplication Ser. Nos. 13/956,252, and 13/956,262, which are herebyincorporated by reference. Security-related information can also includeendpoint information, such as malware infection data and systemconfiguration information, as well as access control information, suchas login/logout information and access failure notifications. Thesecurity-related information can originate from various sources within adata center, such as hosts, virtual machines, storage devices andsensors. The security-related information can also originate fromvarious sources in a network, such as routers, switches, email servers,proxy servers, gateways, firewalls and intrusion-detection systems.

During operation, the SPLUNK® APP FOR ENTERPRISE SECURITY facilitatesdetecting so-called “notable events” that are likely to indicate asecurity threat. These notable events can be detected in a number ofways: (1) an analyst can notice a correlation in the data and canmanually identify a corresponding group of one or more events as“notable;” or (2) an analyst can define a “correlation search”specifying criteria for a notable event, and every time one or moreevents satisfy the criteria, the application can indicate that the oneor more events are notable. An analyst can alternatively select apre-defined correlation search provided by the application. Note thatcorrelation searches can be run continuously or at regular intervals(e.g., every hour) to search for notable events. Upon detection, notableevents can be stored in a dedicated “notable events index,” which can besubsequently accessed to generate various visualizations containingsecurity-related information. Also, alerts can be generated to notifysystem operators when important notable events are discovered.

The SPLUNK® APP FOR ENTERPRISE SECURITY provides various visualizationsto aid in discovering security threats, such as a “key indicators view”that enables a user to view security metrics of interest, such as countsof different types of notable events. For example, FIG. 11A illustratesan exemplary key indicators view 1700 that comprises a dashboard, whichcan display a value 1701, for various security-related metrics, such asmalware infections 1702. It can also display a change in a metric value1703, which indicates that the number of malware infections increased by63 during the preceding interval. Key indicators view 1700 additionallydisplays a histogram panel 1704 that displays a histogram of notableevents organized by urgency values, and a histogram of notable eventsorganized by time intervals. This key indicators view is described infurther detail in pending U.S. patent application Ser. No. 13/956,338filed Jul. 31, 2013, which is hereby incorporated by reference.

These visualizations can also include an “incident review dashboard”that enables a user to view and act on “notable events.” These notableevents can include: (1) a single event of high importance, such as anyactivity from a known web attacker; or (2) multiple events thatcollectively warrant review, such as a large number of authenticationfailures on a host followed by a successful authentication. For example,FIG. 11B illustrates an exemplary incident review dashboard 1710 thatincludes a set of incident attribute fields 1711 that, for example,enables a user to specify a time range field 1712 for the displayedevents. It also includes a timeline 1713 that graphically illustratesthe number of incidents that occurred in one-hour time intervals overthe selected time range. It additionally displays an events list 1714that enables a user to view a list of all of the notable events thatmatch the criteria in the incident attributes fields 1711. To facilitateidentifying patterns among the notable events, each notable event can beassociated with an urgency value (e.g., low, medium, high, critical),which is indicated in the incident review dashboard. The urgency valuefor a detected event can be determined based on the severity of theevent and the priority of the system component associated with theevent. The incident review dashboard is described further in“http://docs.splunk.com/Documentation/PCI/2.1.1/User/IncidentReviewdashboard.”

1.9 Data Center Monitoring

As mentioned above, the SPLUNK® ENTERPRISE platform provides variousfeatures that make it easy for developers to create variousapplications. One such application is the SPLUNK® APP FOR VMWARE®, whichperforms monitoring operations and includes analytics to facilitatediagnosing the root cause of performance problems in a data center basedon large volumes of data stored by the SPLUNK® ENTERPRISE system.

This differs from conventional data-center-monitoring systems that lackthe infrastructure to effectively store and analyze large volumes ofperformance information and log data obtained from the data center. Inconventional data-center-monitoring systems, this performance data istypically pre-processed prior to being stored, for example, byextracting pre-specified data items from the performance data andstoring them in a database to facilitate subsequent retrieval andanalysis at search time. However, the rest of the performance data isnot saved and is essentially discarded during pre-processing. Incontrast, the SPLUNK® APP FOR VMWARE® stores large volumes of minimallyprocessed performance information and log data at ingestion time forlater retrieval and analysis at search time when a live performanceissue is being investigated.

The SPLUNK® APP FOR VMWARE® can process many types ofperformance-related information. In general, this performance-relatedinformation can include any type of performance-related data and logdata produced by virtual machines and host computer systems in a datacenter. In addition to data obtained from various log files, thisperformance-related information can include values for performancemetrics obtained through an application programming interface (API)provided as part of the vSphere Hypervisor™ system distributed byVMware, Inc. of Palo Alto, Calif. For example, these performance metricscan include: (1) CPU-related performance metrics; (2) disk-relatedperformance metrics; (3) memory-related performance metrics; (4)network-related performance metrics; (5) energy-usage statistics; (6)data-traffic-related performance metrics; (7) overall systemavailability performance metrics; (8) cluster-related performancemetrics; and (9) virtual machine performance statistics. For moredetails about such performance metrics, please see U.S. patent Ser. No.14/167,316 filed Jan. 29, 2014, which is hereby incorporated herein byreference. Also, see “vSphere Monitoring and Performance,” Update 1,vSphere 5.5, EN-001357-00,http://pubs.vmware.com/vsphere-55/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-551-monitoring-performance-guide.pdf.

To facilitate retrieving information of interest from performance dataand log files, the SPLUNK® APP FOR VMWARE® provides pre-specifiedschemas for extracting relevant values from different types ofperformance-related event data, and also enables a user to define suchschemas.

The SPLUNK® APP FOR VMWARE® additionally provides various visualizationsto facilitate detecting and diagnosing the root cause of performanceproblems. For example, one such visualization is a “proactive monitoringtree” that enables a user to easily view and understand relationshipsamong various factors that affect the performance of a hierarchicallystructured computing system. This proactive monitoring tree enables auser to easily navigate the hierarchy by selectively expanding nodesrepresenting various entities (e.g., virtual centers or computingclusters) to view performance information for lower-level nodesassociated with lower-level entities (e.g., virtual machines or hostsystems). Exemplary node-expansion operations are illustrated in FIG.11C, wherein nodes 1733 and 1734 are selectively expanded. Note thatnodes 1731-1739 can be displayed using different patterns or colors torepresent different performance states, such as a critical state, awarning state, a normal state, or an unknown/offline state. The ease ofnavigation provided by selective expansion in combination with theassociated performance-state information enables a user to quicklydiagnose the root cause of a performance problem. The proactivemonitoring tree is described in further detail in U.S. patentapplication Ser. No. 14/235,490 filed on Apr. 15, 2014, which is herebyincorporated by reference.

The SPLUNK® APP FOR VMWARE® also provides a user interface that enablesa user to select a specific time range and then view heterogeneous data,comprising events, log data and associated performance metrics, for theselected time range. For example, the screen illustrated in FIG. 11Ddisplays a listing of recent “tasks and events” and a listing of recent“log entries” for a selected time range above a performance-metric graphfor “average CPU core utilization” for the selected time range. Notethat a user is able to operate pull-down menus 1742 to selectivelydisplay different performance metric graphs for the selected time range.This enables the user to correlate trends in the performance-metricgraph with corresponding event and log data to quickly determine theroot cause of a performance problem. This user interface is described inmore detail in U.S. patent application Ser. No. 14/167,316 filed on Jan.29, 2014, which is hereby incorporated by reference.

Further modifications and embodiments of various aspects of thedisclosure will be apparent to those skilled in the art in view of thisdescription. Accordingly, this description is to be construed asillustrative only and is for the purpose of teaching those skilled inthe art the general manner of carrying out the disclosure. It is to beunderstood that the forms of the disclosure shown and described hereinare to be taken as examples of embodiments. Elements and materials maybe substituted for those illustrated and described herein, parts andprocesses may be reversed or omitted, and certain features of thedisclosure may be utilized independently, all as would be apparent toone skilled in the art after having the benefit of this description ofthe disclosure. Changes may be made in the elements described hereinwithout departing from the spirit and scope of the disclosure asdescribed in the following claims. Headings used herein are fororganizational purposes only and are not meant to be used to limit thescope of the description.

It will be appreciated that the methods described are exampleembodiments of methods that may be employed in accordance with thetechniques described herein. The methods may be modified to facilitatevariations of their implementation and use. The order of the methods andthe operations provided therein may be changed, and various elements maybe added, reordered, combined, omitted, modified, etc. Portions of themethods may be implemented in software, hardware, or a combinationthereof. Some or all of the portions of the methods may be implementedby one or more of the processors/modules/applications described herein.

As used throughout this application, the word “may” is used in apermissive sense (i.e., meaning having the potential to), rather thanthe mandatory sense (i.e., meaning must). The words “include,”“including,” and “includes” mean including, but not limited to. As usedthroughout this application, the singular forms “a”, “an,” and “the”include plural referents unless the content clearly indicates otherwise.Thus, for example, reference to “an element” may include a combinationof two or more elements. As used throughout this application, the phrase“based on” does not limit the associated operation to being solely basedon a particular item. Thus, for example, processing “based on” data Amay include processing based at least in part on data A and based atleast in part on data B unless the content clearly indicates otherwise.Unless specifically stated otherwise, as apparent from the discussion,it is appreciated that throughout this specification discussionsutilizing terms such as “processing,” “computing,” “calculating,”“determining,” or the like refer to actions or processes of a specificapparatus, such as a special purpose computer or a similar specialpurpose electronic processing/computing device. In the context of thisspecification, a special purpose computer or a similar special purposeelectronic processing/computing device is capable of manipulating ortransforming signals, typically represented as physical electronic ormagnetic quantities within memories, registers, or other informationstorage devices, transmission devices, or display devices of the specialpurpose computer or similar special purpose electronicprocessing/computing device.

What is claimed is:
 1. A method comprising: determining availablefeatures of an application that is currently deployed on a computingdevice, wherein the available features comprise one or more currentlydeployed features and are configured to receive and usemachine-generated input data from one or more data sources of a datasystem; determining, during a current use of the application, that theavailable features further comprise one or more currently un-deployedfeatures based on a determination, during the current use of theapplication, that a portion of the machine-generated input data that isassociated with the one or more currently un-deployed features not beingavailable to the application based on a configuration of theapplication; and causing display of a deployment graphical userinterface (GUI) that comprises an indication of the currentlyun-deployed features.
 2. The method of claim 1, wherein determining theone or more un-deployed features comprises determining that the one ormore of the available features that is configured to use input data froma data source and for which the application currently deployed is notproperly configured to receive the input data from the data source. 3.The method of claim 1, wherein determining the one or more un-deployedfeatures comprises determining that the one or more of the availablefeatures that is configured to use input data from a data source and forwhich the input data is not received from the data source in theapplication currently deployed.
 4. The method of claim 1, whereindetermining the one or more un-deployed features comprises determiningthat the one or more of the available features that is configured to useinput data from a data source and for which the data source is notproviding the input data in the application currently deployed.
 5. Themethod of claim 1, wherein determining the one or more un-deployedfeatures comprises determining that the one or more of the availablefeatures that is configured to use input data from a data source and forwhich the of the application currently deployed is properly configuredto receive the input data from the data source in the of the applicationand the input data is not received from the data source in the of theapplication.
 6. The method of claim 1, wherein determining the one ormore un-deployed features comprises determining of that the one or moreof the available features that is configured to use input data from adata source and for which and the application currently deployed doesnot include an application to provide the input data from the datasource.
 7. The method of claim 1, further comprising determining that ahardware element for providing the machine-generated input data is notpresent or is not configured to provide the machine-generated inputdata.
 8. The method of claim 1, further comprising determining thathardware of the system in which the application is currently deployeddoes not include a hardware element for receiving or processing themachine-generated input data from the one or more data sources.
 9. Themethod of claim 1, further comprising, for each of the one or moreun-deployed features: determining a condition to deploy the un-deployedfeature, wherein the deployment GUI comprises an indication of thecondition.
 10. The method of claim 1, further comprising, for each ofthe one or more un-deployed features: determining a condition to deploythe un-deployed feature, wherein the deployment GUI comprises, anindication of the condition, and wherein the indication of the conditioncomprises an interactive link that is user selectable to cause thecondition to be condition to be satisfied to deploy the un-deployedfeature or to navigate to a location for satisfying the condition todeploy the un-deployed feature.
 11. The method of claim 1, furthercomprising, for each the one or more un-deployed features: determining acondition to deploy the un-deployed feature, wherein the conditioncomprises linking to a data source, and wherein the deployment GUIcomprises an interactive link that is user selectable to cause thelinking to the data source or to navigate to a location for configuringthe linking to the data source.
 12. The method of claim 1, furthercomprising, for each of the one or more un-deployed features:determining a condition to deploy the un-deployed feature, wherein thecondition comprises installing an application, and wherein thedeployment GUI comprises an interactive link that is user selectable tocause installation of the application or to navigate to a location forinstalling the application.
 13. The method of claim 1 furthercomprising, for each of the one or more un-deployed features:determining a condition to deploy the un-deployed feature, wherein thedeployment GUI comprises an interactive link that is user selectable tonavigate to instructions for satisfying the condition to deploy theun-deployed feature.
 14. The method of claim 1, further comprising, foreach of the one or more un-deployed features: determining a condition todeploy the un-deployed feature, wherein the condition comprises purchaseof an item; and directing a user to a network site for purchasing theitem.
 15. The method of claim 1, further comprising, for each of the oneor more un-deployed features: determining a condition to deploy theun-deployed feature, wherein the condition comprises obtaining an itemfrom a third party; and directing a user to a network site for the thirdparty.
 16. The method of claim 1, further comprising, for each of theone or more un-deployed features: determining a condition to deploy theun-deployed feature, determining the condition is satisfied; and causingdisplay of an updated deployment GUI to that comprises an updatedindication of the un-deployed features, wherein the at least one featureis not included in the updated indication of the un-deployed features.17. The method of claim 1, further comprising: identifying deployedfeatures comprising one or more of the available features that are eachconfigured to use input data from a data source and for which theapplication currently deployed is configured to provide the input datafor use by the feature, wherein the deployment GUI comprises anindication of the deployed features.
 18. The method of claim 1, whereinthe deployment GUI comprises an indication of a number of the one ormore un-deployed features.
 19. The method of claim 1, determiningun-deployed data models, wherein the un-deployed data models eachcomprise a data model that is associated with at least a portion of theone or more of the un-deployed features of the application, and whereinthe deployment GUI comprises a data model deployment status indicatingthe un-deployed data models.
 20. The method of claim 1, determiningun-deployed data models using a mapping of features to data models,wherein the un-deployed data models each comprise a data model that ismapped to one or more of the un-deployed features of the application,and wherein the deployment GUI comprises a data model deployment statusindicating the un-deployed data models.
 21. The method of claim 1,determining un-deployed data models, wherein the un-deployed data modelseach comprise a data model that is associated with one or more of theun-deployed features of the application, and wherein the deployment GUIcomprises an indication of a number of the un-deployed data models. 22.The method of claim 1, wherein the one or more available features employpredefined search criteria for searching the machine-generated inputdata.
 23. The method of claim 1, wherein the application is configuredto employ searches of the machine-generated input data using alate-binding schema.
 24. A system comprising: one or more processors;and one or more memories comprising program instructions stored thereonthat are executable by the one or more processors to cause: determiningavailable features of an application that is currently deployed on acomputing device, wherein the available features comprise one or morecurrently deployed features and are configured to receive and usemachine-generated input data from one or more data sources of a datasystem; determining, during a current use of the application, that theavailable features further comprise one or more currently un-deployedfeatures based on a determination, during the current use of theapplication, that a portion of the machine-generated input data that isassociated with the one or more currently un-deployed features not beingavailable to the application based on a configuration of theapplication; and causing display of a deployment graphical userinterface (GUI) that comprises an indication of the currentlyun-deployed features.
 25. The system of claim 24, wherein determiningthe one or more un-deployed features comprises determining that the oneor more of the available features that is configured to use input datafrom a data source and for which the input data is not received from thedata source in the application currently deployed.
 26. The system ofclaim 24, further comprising, for each of the one or more un-deployedfeatures: determining a condition to deploy the un-deployed feature,wherein the deployment GUI comprises an indication of the condition. 27.The system of claim 24, wherein the one or more available featuresemploy predefined search criteria for searching the machine-generatedinput data.
 28. One or more non-transitory computer-readable mediumcomprising program instructions stored thereon that are executable byone or more processors to: determining available features of anapplication that is currently deployed on a computing device, whereinthe available features comprise one or more currently deployed featuresand are configured to receive and use machine-generated input data fromone or more data sources of a data system; determining, during a currentuse of the application, that the available features further comprise oneor more currently un-deployed features based on a determination, duringthe current use of the application, that a portion of themachine-generated input data that is associated with the one or morecurrently un-deployed features not being available to the applicationbased on a configuration of the application; and causing display of adeployment graphical user interface (GUI) that comprises an indicationof the currently un-deployed features.
 29. The medium of claim 28,wherein determining the one or more un-deployed features comprisesdetermining that the one or more of the available features that isconfigured to use input data from a data source and for which the inputdata is not received from the data source in the application currentlydeployed.
 30. The medium of claim 28, further comprising, for each ofthe one or more un-deployed features: determining a condition to deploythe un-deployed feature, wherein the deployment GUI comprises anindication of the condition.